Identification, Validation and Authentication: All Different But Not All Compliant

Measures to prevent financial aid fraud should not be confused with those designed to maximize academic integrity; they are two different concerns that require different prevention tactics.

There is much talk surrounding how colleges and universities will need to change to comply with the Department of Education (DOE)’s new student identity guidelines.

The new guidelines will be directed at online education providers, where there are more reported incidences of fraud than any other; the most serious being financial aid fraud. There is a great deal of misinformation in this space, and it’s important to note this is not an academic integrity guideline. As such, mitigating assignment or portal identity fraud, while needful, is not the aim of the new regulations.

In addition, confusion is created by a misunderstanding of the definition of the words used to describe the process. The Office of Inspector General (OIG) is recommending the DOE create authentication compliance standards and, as with any new legislation, many companies are there to solve the problem. However, many companies and experts are creating confusion.

The first area of confusion is in the terms. Identification, validation and authentication are not the same, and they accomplish different goals:

Identification

Identification is basic: a student is assigned a login and password identity to access secure information such as an online class or school portal. The student is granted this access through an admissions process.

Identification does have some validation for the initial process, but is not itself a validation process. Identity is established for official interaction with the institution.

Validation

Validation is showing something to substantiate the identity you claim to be. Validation can be a driver’s license, picture or any additional documentation that can support the identity claim being made. The key difference is relying on some other provider as a way of validating the identity claim. Validation helps to reduce fraud by requiring multiple documented identities that are the same. The chance that one identity is fraudulently replicated in other documents exactly the same way is theoretically possible, but remote. In many ways, sending an access code to a phone could be validation since it is relying on nothing more than a person claiming to be the same person that owns the phone.

Authentication

Authentication is something unique to the individual that cannot easily be duplicated or repeated by anyone other than the individual. Optical (retina) or facial recognition can provide authentication, but true authentication is more than showing a face on a camera, and the cost of this technology puts it out of reach of most institutions. There is good research to support going back to the days of Morse code, as the way one person types out Morse code is unique. Typing style is also unique to an individual.

The idea that there’s a way to authenticate and identify is not new; what’s new is legal requirements by the DOE to make an authentication process mandatory. In addition to the typing authentication models, there are also biometrical authentication processes where style and keystroke metrics are captured, recorded as data and used to authenticate an identity. This can be done at a reasonable cost to the student or institution.

The Difference between Academic Integrity and Fraud Prevention

The need to introduce authentication measures is not an academic integrity provision, but a fraud prevention requirement. Academic integrity is important, but not at the federal level; financial aid fraud is the target for the DOE. The danger in not understanding the difference is the danger of being out of Title IV compliance. In the latest audit released in February from the OIG, it’s clearly stated that simply having unique logins and passwords does not meet the guideline for student identification. Validation may, but the OIG language suggests authentication is the preferred process. More regulation is coming through Title IV than through a negotiated rulemaking session. Once funding is tied to a rule, the DOE will be able to move more deliberately.

There is more confusion being created as some suggest that authenticating for a test taken online meets the requirement. The requirement is more far-reaching than one item, or academic integrity. The DOE relies on accreditation for integrity guidelines in most cases. The OIG recommendations seek to reduce fraud in admissions, financial aid and student identity in an online class. Simply catching a student cheating in an online test, while a worthy goal for academic honesty, will not meet the guidelines and will not reduce financial aid fraud overall.

Institutions need to understand the risk; in the virtual world, one can be many. One person can seek financial aid for many. If a low-tuition institution such as a community college is targeted for this kind of fraud, where one person fraudulently acts while many students maximize their financial aid, the potential loss is significant.

It’s this risk that the OIG seeks to mitigate, and it can only be accomplished with authentication. The challenge is to parse through the claims. The key is finding unique individual artifacts that can be captured data points requiring some action to substantiate in an authentication process. Phone calls, text routines and voice (simple phone recognition, not the authentication voice software) processes are not authentication; they are validation and will present challenges for compliance.

Title IV of the Higher Education Act Programs, “Additional Safeguards Are Needed to Help Mitigate the Risks That Are Unique to the Distance Education Environment,” Final Audit Report ED-OIG/A07L0001, February 2014

Readers Comments

I’m no tech or security expert, so what I’m suggesting may not be possible, but I wonder if institutions couldn’t create a system or process that could simultaneously deal with both academic integrity and financial fraud. It seems to me that having to use different tactics to target each would not only be expensive, but could lead to the confusion and challenges that arise when using multiple systems (e.g. incompatibility, work duplication, system strain, etc.)

Good article clarifying the revised OIG and DOE expectations on the way. Institutions should be proactive in implementing the authentication requirements as a way to protect themselves from fraud, and to make sure their processes are in line with federal requirements, which Title IV funding may eventually be tied to.

In their rush to enter the online market, many institutions didn’t do their due diligence to protect themselves from risk, like they would have for a bricks-and-mortar extension. For example, when you design a new campus building, you would think of security requirements, alarm systems, fire codes, insurance and so on. The same should be done for online education. The new DOE requirements are simply moving institutions toward the same security standards in the online world as would exist for their bricks-and-mortar buildings.